Re: "Carrier Grade" NAT44 setup

Maximilian Wilhelm <max@xxxxxxxxxxx> writes:
> Did anyone here already build such a setup [linux as CGNAT router]?

I have some derpy non-expert comments, below.

> What resources would be required on the Linux box? I would assume any
> decent server CPU with 6+ cores will be fine and 16-32GB of RAM would
> suffice for storing the conntrack mappings?

Obligatory question whenever CGNAT comes up:
Can you just use IPv6 instead? ;-)


When I was doing NAT for up to 1000 desktops,
I looked into conntrack table size, and
concluded it was not worth even worrying about.

From first principles, the NAT record is basically a struct like

    (orig_ip, orig_port, nat_ip, nat_port)

Which for IPv4 is only like 10 bytes or something.
So in 10MiB you can remember 10Mi concurrent flows.

I looked for a quick sanity-check of that and I found this old post
which reckons 32K concurrent flows in 512MB:

    https://wiki.khnet.info/index.php/Conntrack_tuning

Another old post estimates about 350 B/flow, so about 10MB = 28K flows:

    https://www.cyberciti.biz/faq/ip_conntrack-table-ful-dropping-packet-error/

Obviously those numbers don't line up too well.
Next step is probably to dig through the kernel's Documentation/ tree
for notes about conntrack limits.
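
A worked sizing check for the arithmetic discussed above, added here as an example (it is not part of the original post and not netfilter project code). The per-entry figure the kernel actually uses is visible as the objsize column of the nf_conntrack cache in /proc/slabinfo, and the table dimensions come from the nf_conntrack_max and nf_conntrack_buckets sysctls. The slabinfo excerpt below is constructed for the example, the 320-byte objsize is an assumed value (the real one varies by kernel version, architecture and config), the 8-byte bucket pointer assumes a 64-bit kernel, and the 16Mi-entry / 4Mi-bucket "CGNAT" table is an assumed sizing, not a recommendation.

```python
"""Estimate Linux conntrack table memory from the slab object size and the
table sizing sysctls, and compare with the per-flow figures quoted above."""

# Constructed /proc/slabinfo excerpt (made up for this example, not captured
# from a real host). The objsize column (bytes per nf_conn object) is the
# figure that matters; 320 is an assumed value.
SAMPLE_SLABINFO = """\
slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
nf_conntrack        4821   5600    320   25    2 : tunables    0    0    0 : slabdata    224    224      0
kmalloc-64        120000 130000     64   64    1 : tunables    0    0    0 : slabdata   2032   2032      0
"""

MIB = 1024 * 1024


def slab_objsize(slabinfo_text, cache="nf_conntrack"):
    """Return the per-object size in bytes of a slab cache from slabinfo text.

    Column layout is: name active_objs num_objs objsize ..., so objsize is
    whitespace-separated field 3.
    """
    for line in slabinfo_text.splitlines():
        fields = line.split()
        if fields and fields[0] == cache:
            return int(fields[3])
    raise KeyError(f"slab cache {cache!r} not found")


def conntrack_table_bytes(max_entries, buckets, objsize, pointer_size=8):
    """Lower-bound memory for a full table: one nf_conn object per entry plus
    the hash table, which is one list-head pointer per bucket (8 bytes on a
    64-bit kernel, assumed here). Per-connection extensions such as the NAT
    mapping are allocated separately, so real usage is somewhat higher."""
    return max_entries * objsize + buckets * pointer_size


def flows_that_fit(memory_bytes, objsize):
    """How many conntrack entries fit in a given memory budget."""
    return memory_bytes // objsize


def read_live_sizing():
    """Read the live sysctls and objsize when running on Linux with conntrack
    loaded. Returns None if the files are missing or unreadable (/proc/slabinfo
    is root-only on current kernels)."""
    base = "/proc/sys/net/netfilter/"
    try:
        with open(base + "nf_conntrack_max") as f:
            max_entries = int(f.read())
        with open(base + "nf_conntrack_buckets") as f:
            buckets = int(f.read())
        with open("/proc/slabinfo") as f:
            objsize = slab_objsize(f.read())
    except (OSError, KeyError, ValueError):
        return None
    return max_entries, buckets, objsize


if __name__ == "__main__":
    objsize = slab_objsize(SAMPLE_SLABINFO)
    budget = 16 * 1024 * MIB  # the 16 GiB RAM figure from the question
    # The two per-flow figures quoted in the thread next to the slab-derived one.
    for label, per_flow in [("10 B/flow (first-principles struct)", 10),
                            ("350 B/flow (cyberciti post)", 350),
                            (f"{objsize} B/flow (slabinfo sample)", objsize)]:
        print(f"{label:40s} -> {flows_that_fit(budget, per_flow):>13,} flows in 16 GiB")
    # Assumed CGNAT-scale sizing: 16Mi entries hashed into 4Mi buckets.
    total = conntrack_table_bytes(16 * 2**20, 4 * 2**20, objsize)
    print(f"16Mi entries + 4Mi buckets at {objsize} B/entry: ~{total / MIB:.0f} MiB")
    live = read_live_sizing()
    if live:
        m, b, o = live
        print(f"this host: max={m} buckets={b} objsize={o} "
              f"-> ~{conntrack_table_bytes(m, b, o) / MIB:.0f} MiB when full")
```

Run as root on the NAT box and the last line gives the real lower bound for a full table; run anywhere else and it just prints the comparison on the constructed sample. The objsize read from slabinfo is what settles the disagreement between the two quoted posts for a given kernel, and the slabinfo value excludes the separately allocated extensions, so treat it as a floor rather than a total.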



